The templated catalog is an in-memory backend initialized from a read-only
template_file. Choose this option only if you know that your service
catalog will not change very much over time.

Note

Attempting to change your service catalog against this driver will result
in HTTP 501 Not Implemented errors. This is the expected behavior. If
you want to use these commands, you must instead use the SQL-based Service
Catalog driver.

The value of template_file is expected to be an absolute path to your
service catalog configuration. An example template_file is included in
keystone; however, you should create your own to reflect your deployment.

To authenticate users against the Identity service, you must
create a service user for each OpenStack service. For example,
create a service user for the Compute, Block Storage, and
Networking services.

To configure the OpenStack services with service users,
create a project for all services and create users for each
service. Assign the admin role to each service user and
project pair. This role enables users to validate tokens and
authenticate and authorize other user requests.

Many operations in OpenStack require communication between multiple
services on behalf of the user. For example, the Image service stores the
user’s images in the Object Storage service. If the image is significantly
large, the operation might fail because the user’s token expires during
the upload.

In the above scenarios, the Image service will attach both the user’s token
and its own token (called the service token), as per the diagram below.

When a service receives a call from another service, it validates that the
service token has the appropriate roles for a service user. This is configured
in each individual service configuration, under the section [keystone_authtoken].

If the service token is valid, the operation will be allowed even if the
user’s token has expired.

The service_token_roles option is the list of roles that the service
token must contain to be a valid service token. In the previous steps, we
assigned the admin role to service users, so set service_token_roles to admin
and set service_token_roles_required to true.
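
One way to check a service's configuration file against the settings described above, as an added example that is not part of the original documentation or of keystone. The function name, the two sample configurations and the member role in the weak sample are constructed for illustration.

```python
import configparser

# Constructed sample configurations (not taken from a real deployment).
HARDENED = """
[keystone_authtoken]
service_token_roles = admin
service_token_roles_required = true
"""

WEAK = """
[keystone_authtoken]
service_token_roles = member
service_token_roles_required = false
"""


def audit_service_token_config(text, service_role="admin"):
    """Return findings for the [keystone_authtoken] section of one service config.

    service_role is the role assigned to service users (admin on this page).
    """
    # interpolation=None: values may contain literal '%' characters.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("keystone_authtoken"):
        return ["no [keystone_authtoken] section"]
    section = parser["keystone_authtoken"]
    findings = []

    # service_token_roles is a comma-separated list of role names.
    raw_roles = section.get("service_token_roles")
    if raw_roles is None:
        findings.append("service_token_roles is not set")
    else:
        roles = {r.strip() for r in raw_roles.split(",") if r.strip()}
        if service_role not in roles:
            findings.append(
                f"service_token_roles {sorted(roles)} does not include '{service_role}'")

    # An unset or unparsable value is reported the same way as an explicit false.
    try:
        required = section.getboolean("service_token_roles_required", fallback=False)
    except ValueError:
        required = False
    if not required:
        findings.append("service_token_roles_required is not true")
    return findings
```

Run it over the configuration file of each service that receives calls from other services; an empty list means both options match the guidance above.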